JRuby 1.7.3 Released

Thursday, February 21 2013

The JRuby community is pleased to announce the release of JRuby 1.7.3

Alert: Please note that the primary reason for putting out 1.7.3 was to address two security issues. Everyone should upgrade to 1.7.3 (details on the security issues below).

Note: This was a condensed release because we wanted to get the security fixes out quickly. If the bugs you are waiting for have not been fixed, we will fix them for 1.7.4.

JRuby 1.7.3 is our third update release since JRuby 1.7.0. The primary goal of the 1.7 point releases is to close any remaining compatibility gaps with Ruby 1.9.3. Community participation lately has been great. Keep reporting issues and sending pull requests.

Changes of note:

Security fix (no CVE) for a DoS via entity expansion in REXML

Security fix (CVE-2013-0269) for unsafe object creation using JSON

Relicensed from CPL to EPL

Fixed one regression in the Windows Java native launcher

A few encoding issues resolved

42 issues fixed for 1.7.3

Note: These next two sections are write-ups by Aaron Patterson on the security issues. JRuby 1.7.3 fixes both of these issues. You only need to be aware of workarounds if it is impossible for you to update JRuby to version 1.7.3.

REXML DoS Fix

Impact

When reading text nodes from an XML document, the REXML parser can be coerced into allocating extremely large string objects, which can consume all of the memory on a machine and cause a denial of service.

Impacted code will look something like this:

document = REXML::Document.new some_xml_doc
document.root.text

When the text method is called, entities will be expanded. An attacker can send a relatively small XML document that, when the entities are resolved, will consume extreme amounts of memory on the target system.

Note that this attack is similar to, but different from, the Billion Laughs attack. It is also related to CVE-2013-1664.

All users running an affected release should either upgrade or apply one of the workarounds immediately.

This monkey patch limits the size of the entity substitutions to 10k per text node. REXML already defaults to allowing only 10000 entity substitutions per document, so with both limits in place the maximum amount of text that can be generated by entity substitution is around 98 megabytes (10000 substitutions of 10k each).

Impact

When parsing certain JSON documents, the JSON gem can be coerced into creating Ruby symbols on a target system. Since Ruby symbols are not garbage collected, this can result in a denial of service attack.

The same technique can be used to create objects on a target system that act like internal objects. These "act alike" objects can be used to bypass certain security mechanisms and can serve as a springboard for SQL injection attacks in Ruby on Rails.

Impacted code looks like this:

JSON.parse(user_input)

Where the user_input variable will have a JSON document like this:

{"json_class":"foo"}

The JSON gem will attempt to look up the constant "foo". Looking up this constant creates a symbol.

In JSON version 1.7.x, objects with arbitrary attributes can be created using JSON documents like this:

{"json_class":"JSON::GenericObject","foo":"bar"}

This document will result in an instance of JSON::GenericObject with an attribute "foo" whose value is "bar". Instantiating these objects results in arbitrary symbol creation and in some cases can be used to bypass security measures.

PLEASE NOTE: this behavior does not change when using JSON.load. JSON.load should never be given input from unknown sources. If you are processing JSON from an unknown source, always use JSON.parse.

All users running an affected release should either upgrade or apply one of the workarounds immediately.

Workarounds

For users who cannot upgrade, please use the attached patches. If you cannot use the attached patches, change your code from this:

JSON.parse(json)

To this:

JSON.parse(json, :create_additions => false)
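As an added example (not JRuby's code and not the advisory's own patch), here is what the two workarounds look like in practice: a hypothetical parse_untrusted helper that passes :create_additions => false and then checks that nothing but plain data came back, and a hypothetical monkey patch that forces the same option on every caller of JSON.parse, including gems you cannot change. It assumes only the json gem's documented :create_additions option; the sample document is constructed to match the one shown above.

```ruby
require 'json'

# Constructed sample input, modelled on the document the advisory shows:
# with additions enabled this asks JSON to instantiate the named class.
SAMPLE = '{"json_class":"JSON::GenericObject","foo":"bar"}'.freeze

# Hypothetical helper (not part of JRuby or the json gem): true only if the
# parsed value consists of plain JSON data types, i.e. no class was instantiated.
def plain_data?(value)
  case value
  when Hash  then value.all? { |k, v| k.is_a?(String) && plain_data?(v) }
  when Array then value.all? { |v| plain_data?(v) }
  when String, Integer, Float, true, false, nil then true
  else false
  end
end

# Workaround 1: disable additions at the call site, then verify the result.
# "json_class" is now just an ordinary key in an ordinary Hash.
def parse_untrusted(json)
  result = JSON.parse(json, :create_additions => false)
  raise ArgumentError, 'parsed JSON contains non-plain objects' unless plain_data?(result)
  result
end

# Workaround 2 (hypothetical patch): wrap JSON.parse so that :create_additions
# is forced off for every caller, even one that explicitly asks for it.
module JSON
  class << self
    alias_method :parse_before_create_additions_patch, :parse
    def parse(source, opts = nil)
      opts = (opts || {}).merge(:create_additions => false)
      parse_before_create_additions_patch(source, opts)
    end
  end
end

if __FILE__ == $0
  p parse_untrusted(SAMPLE)                       # plain Hash, two String values
  p JSON.parse(SAMPLE, :create_additions => true) # still a plain Hash after the patch
end
```

Applying the patch globally also affects JSON.load, since it delegates to JSON.parse; that is the intended effect for code processing untrusted input.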

If you cannot change the usage of JSON.parse (for example, you're using a gem such as multi_json that depends on JSON.parse), then apply this monkey patch: